malwarewikiaorg-20200223-history
W32.Ahker.F@mm
W32.Ahker.F@mm is a worm that was discovered on March 31, 2005. It infects Microsoft Windows 95, 98, Me, NT, 2000, XP, and Server 2003 computers.

Payload

When W32.Ahker.F@mm is executed, it performs the following actions:
#Copies itself as %Windir%\LSASS.EXE. Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
#Drops a copy of itself as C:\Documents and Settings\User\Start Menu\Startup\SVCHOST-.EXE.
#Adds the values: to the registry subkey: to disable the Registry Editor and the Task Manager.
#Modifies the values: in the registry subkey: to change the name of the computer.
#Adds the value: to modify security settings.
#Adds the value: to the registry subkeys: to modify firewall settings.
#Adds the values: to the registry subkeys: to modify security settings.
#Adds the values: to the registry subkeys: to modify security settings.
#Adds the value: to the registry subkey:
#Creates the file %Windir%\firewall.dll, which contains the following message:
#Creates the file %System%\svcpack.dll, which is not malicious. Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
#Appends the following message to the file %System%\hal.dll:
#Adds the following values: to the registry subkey: to disable several programs including the Registry Editor, Notepad, and Wordpad.
#Adds the value: to the registry key: so that the worm executes when Windows starts.
#Adds the value: to the registry key: so that the worm executes when Windows starts.
#Adds the value: to the registry key:
#Modifies the value: in the registry subkey: so that the worm is executed each time a .txt file is opened.
#Modifies the value: in the registry subkey: so that the worm is executed each time a .txt file is opened.
#Adds the value: to the registry subkey:
#Adds the values: to the registry subkey: Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
#Adds the value: to the registry subkey:
#Ends the following processes, which disables several security programs and other worms:
#*bbeagle.exe
#*ccApp.exe
#*d3dupdate.exe
#*i11r54n4.exe
#*irun4.exe
#*mscvb32.exe
#*msblast.exe
#*navapw32.exe
#*navw32.exe
#*netstat.exe
#*outpost.exe
#*rate.exe
#*ssate.exe
#*sysinfo.exe
#*teekids.exe
#*taskmon.exe
#*wincfg32.exe
#*winsys.exe
#*winupd.exe
#*zapro.exe
#*zonealarm.exe
#*MSBLAST.exe
#*PandaAVEngine.exe
#*Penis32.exe
#*SVCHOST.EXE
#*SysMonXP.exe
#Modifies certain registry keys in order to disable the following programs:
#*AntiVirus
#*autoupdate
#*Explorer
#*Firewall
#*registrytool
#*System Restore
#*Tsk manager
#Disables the following applications:
#*regedit.exe
#*msnmsgr.exe
#*notepad.exe
#*svchost-.exe
#*wordpad.exe
#*write.exe
#*wuauclt.exe
#*wupdmgr.exe
#*AUPDATE.exe
#*ALUNOTIFY.exe
#*DAP.exe
#*LUALL.exe
#Adds the following lines to the Hosts file to block access to several Web sites, some of which may be security related:
#Spreads by sending a copy of itself to email addresses gathered from a compromised computer. The email has the following characteristics:

From: One of the following:
#*owner@xxxceleb.com
#*Clip@celebporno.com
#*cought@worldporn.com

Subject: One of the following:
#*Please READ!
#*Service Pack 2 Update!
#*Read this for your own good!
#*Service Pack 2 BUG!
#*Read it!
#*READ! HURRY! BEFORE It's too late!
#*Read this TWICE!
#*Microsoft Windows Service Pack 2 Bug!
#*Adminstrator
#*Microsoft's Worst Mistake!
#*Read this for your PC safety!

Message Body:
#*Hey buddy, Check out this new porn clip of Britney Sprears! Very Short but HOT!! DOWNLOAD IT and WATCH IT!
#*Hello! Paris Hilton new SEX TAPE has been released! In the attachment you will find some short quick scenes(HOT!!) that I liked the most!! Clip OwnerAdmin@fuckcelebrity.com Download it! I know it's SHORT but at least you've watched the HOTTEST parts of it! Owner
#*Hi... Watch this and tell me what you think! Download it! It's short but it's VERY HOT! Hell yeah...it's Pam! Watch this latest clip of Pamela Anderson! You will find the clip in the attachment! Enjoy! Admin

Attachment: Clip.zip

Note: When Clip.zip is run, the worm downloads a copy of itself from the following domain: removed/ahkerf.zip

Statistics
*Wild: Low
*Damage: Medium
*Removal: Medium
*Distribution: High

Category:Worm Category:Win32 Category:Win32 worm Category:Microsoft Windows Category:Win9x Category:Win9x worm
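
The file-system artifacts listed under Payload can be checked against a host's file inventory. The following is an added example, not part of the original entry or of any vendor tool. It generalises the %Windir%\LSASS.EXE indicator to any lsass.exe outside the System folder, and the function names and sample paths are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any analysis host

# Folder defaults as stated in the entry above.
WINDIRS = {r"c:\windows", r"c:\winnt"}
SYSTEM_DIRS = {r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32"}

def classify(path):
    """Return a finding for one file path, or None if nothing matches."""
    # Normalise case, quotes and ".." segments before comparing.
    norm = ntpath.normpath(path.strip().strip('"')).lower()
    folder, name = ntpath.split(norm)
    if name == "lsass.exe" and folder not in SYSTEM_DIRS:
        # Generalised from the entry: the legitimate lsass.exe lives in the
        # System folder, so a copy elsewhere is a masquerade to review.
        return "lsass.exe outside the System folder"
    if name == "svchost-.exe":  # note the trailing hyphen in the dropped name
        in_startup = ntpath.basename(folder) == "startup"
        return "svchost-.exe in " + ("Startup folder" if in_startup else "non-Startup folder")
    if name == "firewall.dll" and folder in WINDIRS:
        return "firewall.dll directly in %Windir%"
    return None

def triage(paths):
    """Map each suspicious path to its finding, preserving input order."""
    findings = {}
    for p in paths:
        hit = classify(p)
        if hit:
            findings[p] = hit
    return findings

# Constructed sample inventory (not taken from a real host).
SAMPLE = [
    r"C:\Windows\System32\lsass.exe",
    r"C:\WINDOWS\LSASS.EXE",
    r"C:\Documents and Settings\User\Start Menu\Startup\SVCHOST-.EXE",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Winnt\firewall.dll",
    r"C:\Windows\System32\..\lsass.exe",
]

if __name__ == "__main__":
    for path, finding in triage(SAMPLE).items():
        print(f"{finding}: {path}")
```
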